How worried about app sec are you?
Vast majority of CISOs are concerned about app sec, while budgeting, staffing and environment all key additional fear factors...
A new study has highlighted the puzzle facing CISOs, or indeed anyone tasked with securing business applications in 2017. The central issue is that as more applications become publicly accessible, more breaches are occurring at the application level.
The good news is that the majority of CISOs - 94 per cent - are concerned about breaches in their publicly facing assets in the next 12 months, particularly within their applications.
However, the flipside is that 71 per cent of respondents face resourcing or budgeting issues within their organisations.
In spite of this, security budget holders are continuing to prioritise application security spending, with key investment areas including applications hosted in the cloud (59 per cent), public facing web applications (57 per cent), mobile applications (39 per cent) and APIs (32 per cent). Ilia Kolochenko, CEO of High-Tech Bridge, said: “Gartner highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration, but companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk.”
The concern is driving increased use of application security tools and services, with the average CISO using 4.8 application security tools and services. According to the study from Bugcrowd, outside of crowdsourced programs the top three include penetration testing (80 per cent), incident response processes (79 per cent) and application vulnerability scanning (71 per cent).
Kolochenko continued: “Penetration testing is just one component of a corporate global security strategy, more precisely of its security testing part. Without other security solutions and processes, penetration testing won’t deliver much value, same as any other security product or service. It’s very important to properly integrate penetration testing into all other business processes – we need to thoroughly plan what to test, how to test and when to test.
“Afterwards, we also need a process to make sure that all the detected vulnerabilities were properly patched. Last but not least, people responsible for the vulnerabilities detected need to revise their procedures to avoid similar flaws and misconfigurations in the future.
“Today, the industry is shifting towards continuous security testing, as conducting ad hoc pentests twice a year, when new vulnerabilities appear every second day, is not enough. Another trend is that companies prefer to invest in defence technologies, rather than in security testing ones. Financially speaking, this certainly makes sense, nonetheless the security testing industry has a solid future, as without it one can never be sure if a security solution delivers what it claims.”
Ilia Kolochenko is speaking about web application security at the SC Congress in London today, Feb 23rd.
Other areas that are receiving spend include threat modelling (50 per cent), secure code review (54 per cent) and app security training (54 per cent). High-Tech Bridge’s ImmuniWeb platform offers an optimum blend of these application tools and services, delivering professional pen testing, intelligent vulnerability scanning and continuous monitoring in a scalable, cost-effective package.
Despite the increased focus, the compromises continue, with a slew of incidents coming to light in early 2017 alone - such as access to the web applications of over 60 US universities and government agencies, obtained via trivial SQL injections, being discovered for sale on the Dark Web in February.
Researchers from High-Tech Bridge found that a massive 90 per cent of in-house developed web applications designed to handle medical, financial or other sensitive data are vulnerable to high-risk improper access control or other application logic flaws, and similar results have just been uncovered in a separate survey.
According to the recent figures, some 80 per cent of applications contain at least one flaw, with an average of 45 vulnerabilities per application: 55 per cent are affected by cross-site request forgery and 37 per cent suffer from security misconfiguration. The study by Contrast Security shows that sensitive data exposure affects 69 per cent of these applications and is responsible for 26 per cent of all vulnerabilities.
It is becoming increasingly clear that in spite of rising concerns among security professionals, the situation remains grave. Well-documented vulnerabilities from the OWASP (Open Web Application Security Project) Top Ten frequently remain unpatched, and insecure code is increasingly one of the major business risks. Will increased and targeted spend be enough to turn the tide of application insecurity? One thing is for sure: like turning a super-tanker at sea, it’ll take quite some time to come around...